"LDConfigSetSSLCertificateAuthority" and "LDConfigSetVerifyPeer" are not available from 3.0.

[ngangomsamananda]

Is your feature request related to a problem? Please describe.
We are updating client sdk from v2.5.2 to v3.4.0 (c binding) but the equivalent replacement of LDConfigSetSSLCertificateAuthority and LDConfigSetVerifyPeer are not available.

• LDConfigSetSSLCertificateAuthority: Set the path to the SSL certificate bundle used for peer authentication.

• LDConfigSetVerifyPeer : Set whether to verify the authenticity of the peer's certificate on network requests.

  Describe the solution you'd like
  Please provide the replacement for LDConfigSetSSLCertificateAuthority and LDConfigSetVerifyPeer.

  Describe alternatives you've considered
  A clear and concise description of any alternative solutions or features you've considered.

  Additional context
  Add any other context about the feature request here.

[cwaldren-ld]

Hi @ngangomsamananda, you are correct, these are not available in the SDK at the moment.

I have filed an internal feature request.

Filed internally as 238927.

[ngangomsamananda]

@cwaldren-ld Thank you.
How long does it take a feature request to complete? Will it be available in the next SDK release?

[cwaldren-ld]

Hi @ngangomsamananda , I cannot provide an estimate, but I will address it as soon as I am able.

[ngangomsamananda]

Hi @cwaldren-ld, is there any particular reason why LDConfigSetSSLCertificateAuthority and LDConfigSetVerifyPeer are not included in v3.x?
Could you please take up this issue on priority than the other tickets (#392 and #394) which I had requested? We are not able to complete the sdk update because of these APIs.

[cwaldren-ld]

Hi, please accept my apologies for slow response as I am out of the office. I will prioritize this feature when I return next week.

…

On Tue, Apr 16, 2024, 6:15 AM ngangomsamananda ***@***.***> wrote: Hi @cwaldren-ld <https://github.com/cwaldren-ld>, is there any particular reason why LDConfigSetSSLCertificateAuthority and LDConfigSetVerifyPeer are not included in v3.x? Could you please take up this issue on priority than the other tickets ( #392 <#392> and #394 <#394>) which I had requested? We are not able to complete the sdk update because of these APIs. — Reply to this email directly, view it on GitHub <#385 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AWJYQJYILEDZXCXWRRCMBQTY5UI6LAVCNFSM6AAAAABFSVEJG2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJYHE2DQMRYGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[ngangomsamananda]

@cwaldren-ld No worries. In one of the tickets, you had mentioned you will be out of office this week. I have added the comment so that you can have a look when you come back.

[cwaldren-ld]

Hi @ngangomsamananda , the reason these APIs were not included was because we didn't have a proven use-case for them.

Since you have requested them, I have begun work here: #391

I will update you when the work is complete.

[ngangomsamananda]

@cwaldren-ld Thank you so much.

[cwaldren-ld]

Hi @ngangomsamananda , I apologize this is taking longer than expected. I am still working on it.

The LDConfigSetVerifyPeer will be released first, then LDConfigSetSSLCertificateAuthority will come after.

[ngangomsamananda]

@cwaldren-ld Let me know when LDConfigSetVerifyPeer is release. I appreciate you for working this on priority.

[cwaldren-ld]

Hi @ngangomsamananda , we have released C++ Client v3.5.0 with support for disabling Peer Verification in TLS handshake.

Here is a link to the docs.

Example:

// First, create a new TLS Config builder
LDClientHttpPropertiesTlsBuilder tls_builder = LDClientHttpPropertiesTlsBuilder_New();

// Disable peer verification 
LDClientHttpPropertiesTlsBuilder_SkipVerifyPeer(tls_builder, true);

// Assuming you have an existing LDClientConfigBuilder
LDClientConfigBuilder_HttpProperties_Tls(config, tls_builder);

Please note, the SDK will emit logs informing you that TLS peer verification is disabled, since it can be considered a security flaw in many scenarios. You can disregard the log message if you use this feature.

[ngangomsamananda]

@cwaldren-ld Thank you so much. I will check and let you know.
One thing: is LDClientHttpPropertiesTlsBuilder_Free() need to be call? I saw this in the docs you have shared.

[cwaldren-ld]

Not normally.

If you pass the TLS builder into the HttpPropertiesBuilder, there is no need to call LDClientHttpPropertiesTlsBuilder_Free() (since the ConfigBuilder takes ownership of it.)

If you do not pass it into the HttpPropertiesBuilder, then yes you must call LDClientHttpPropertiesTlsBuilder_Free() to avoid memory leak.

Relevant part from the docs on LDClientHttpPropertiesTlsBuilder_Free():

Frees a TLS options builder. Do not call if the builder was consumed by the HttpProperties builder.

[ngangomsamananda]

Hi @cwaldren-ld , till now the replacement for LDConfigSetVerifyPeer appears to be working fine. If I face any issue, I will reach out to you. Thanks

[cwaldren-ld]

Hi @ngangomsamananda , please check out #409 branch (cw/sc-244781/custom-ca) when you have a chance and test the new API:

// First, create a new TLS Config builder
LDClientHttpPropertiesTlsBuilder tls_builder = LDClientHttpPropertiesTlsBuilder_New();

// Set path to a custom CA file
LDClientHttpPropertiesTlsBuilder_CustomCAFile(tls_builder, "path/to/your/custom_ca.pem");

// Assuming you have an existing LDClientConfigBuilder
LDClientConfigBuilder_HttpProperties_Tls(config, tls_builder);

If you are unable to test the branch, please wait for the upcoming release.

[ngangomsamananda]

@cwaldren-ld I will do the testing when it is release. Thanks for working on that API.

[cwaldren-ld]

Hi @ngangomsamananda , release is available here: https://github.com/launchdarkly/cpp-sdks/releases/tag/launchdarkly-cpp-client-v3.6.0

[ngangomsamananda]

Hi @cwaldren-ld, thank you so much for providing the new API's in short time.